Every time a new major virus makes its way through the Internet, countless individuals suffer from needless infection fears, and for good reasons. You sit down to check your email, and find messages that are either:

  1. From individuals warning that you have sent them a virus
  2. Automated "You have sent a virus" replies from email systems
  3. Bounced messages with infected attachments that you didn't send

No matter how careful you are in protecting your computer, your pulse quickens and you begin to have doubts that perhaps your system has somehow been infected.

Before becoming too alarmed, keep this in mind: Almost every successful virus campaign now "spoofs" the sending address.

The Implications of Spoofing:

In the good old days (just a few years ago) viruses would send copies of themselves with the actual "From" address that belonged to the infected machine's owner. Because this made contacting and warning senders very easy, infected computers could be quickly identified and cleaned, or at least turned off.

In order to spread their creations more efficiently, virus writers began instructing their programs to use fake addresses in the "From" field when sending infected emails to others. This tactic effectively prevents recipients from knowing exactly who sent them the virus, and so they are unable to warn the appropriate individuals.

While effective, this tactic makes it fairly easy to identify incoming viruses, thereby preventing infection. For instance, many recent variants have claimed to be "security updates" from Microsoft. Once users have been warned to watch out for emails appearing to be from Microsoft, and are made aware that Microsoft does not email executable attachments, infection rates can be reduced.

To overcome this, the most popular methodology now in use relies on random, but real, email addresses for "spoofing" the sending address. After infecting a computer, most viruses will collect actual email addresses not only from email software address books, but also from received emails and even unrelated files such as word processing documents. When sending infected emails to others, the virus will most often randomly insert one of these addresses into the "From" field.

The effect of this tactic is that you never really know who sent you the virus, and as a result, you cannot warn them. Due to the random nature of the address selection, you will occasionally even receive a virus email where it appears that you have sent a virus to yourself!

Spreading the Fear

This brings us to the mechanisms that create widespread fears of infection:

Unfortunately, in each case it is not the actual sender who is being notified, but the owner of the "spoofed" address. After receiving enough of these types of emails, even the most cautious and diligent user is understandably going to have some concerns.

However, once you understand the methodology of the viruses and the behavior of the typical email server, you will soon realize that receiving such emails has nothing to do with being infected; instead, it is a result of your popularity, in a sense. Consider that the more email you have sent, and the more people who have your address saved in their email software, the more copies of your address there are in circulation, and thus available for use in spoofing by infected systems.

Who's to Blame?

At this point you might be asking yourself, "Why does everyone still continue to send warnings to 'spoofed' senders?"

Individuals who send personal messages warning of infection make up a minuscule fraction of such warnings and can be excused for such ignorance by their good (if misdirected) intentions. Those who manage email servers, on the other hand, deserve no latitude.

It is highly unlikely that any email administrator is unaware of the vast use of "spoofing" tactics by viruses. It's also hard to imagine that they do not realize that such virus warnings typically outnumber the viruses themselves (viruses are often blocked, the warnings seldom are).

Finally, it's actually arguably negligent that so many systems will bounce inbound email without first scanning for viruses. Failure to do so essentially offers aid to virus writers by further spreading infection to innocent users who have had their address "spoofed."

Stop the Insanity

First, if you receive an infected email, don't bother sending a reply. It won't reach the owner of the actual infected machine.

More importantly, the next time you receive an automated virus warning or a bounced and still infected email that you didn't send, complain to the owner of the system that sent it. There is no good reason that email administrators cannot change their policies and behaviors to acknowledge the reality that such emails are an irresponsible nuisance to millions of innocent users.

If they resist, remind them that the "From" address is seldom (if ever) the actual sender anymore. They know this, but remind them anyway.

Further, point out the potential consequences of bouncing infected emails that were sent to invalid addresses. I doubt you'll find any email administrator who wants to aid the authors of such viruses. If they insist that they must bounce emails to inactive accounts, at least suggest they run these messages through their virus scanning systems first.
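The policy argued for above (scan first, and never reply to the "From" address of an infected message) can be written as a small decision function. This is an added example, not code from the original article; the extension check is an assumed stand-in for a real virus scanner, and all addresses and messages are constructed.

```python
from email.message import EmailMessage

# Assumption: these extensions stand in for the verdict of a real virus scanner.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")

def has_suspect_attachment(msg):
    """Stand-in for a virus scan: flag any executable attachment by file name."""
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_EXTENSIONS):
            return True
    return False

def decide(msg, rcpt, valid_recipients):
    """Return (action, notify_address) for one inbound message.

    The scan runs before any bounce decision, and an infected message never
    triggers a reply, because its "From" address is probably spoofed.
    Assumption: the From header stands in for the envelope sender that a
    real mail server would address a bounce to.
    """
    if has_suspect_attachment(msg):
        return ("discard", None)          # no warning, no bounce
    if rcpt.lower() not in valid_recipients:
        return ("bounce", msg.get("From"))  # clean mail to an unknown account
    return ("deliver", None)

def build(sender, rcpt, attachment=None):
    """Construct a sample message (constructed test data, not real traffic)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, rcpt, "Security update"
    m.set_content("See attachment.")
    if attachment:
        m.add_attachment(b"constructed-bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m

VALID = {"alice@example.org"}
SAMPLES = [
    (build("victim@example.net", "gone@example.org", "patch.EXE"), "gone@example.org"),
    (build("friend@example.net", "gone@example.org"), "gone@example.org"),
    (build("friend@example.net", "alice@example.org"), "alice@example.org"),
]

if __name__ == "__main__":
    for msg, rcpt in SAMPLES:
        print(rcpt, decide(msg, rcpt, VALID))
```

The first sample is the case the article complains about: an infected message to an inactive account, whose spoofed sender would otherwise receive a bounce with the attachment still in it.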

Finally, relax. Do your best to diligently avoid infection, but don't panic just because someone accuses you of sending a virus, or because of a bounced virus email.

Ironically, if your computer actually is infected, the bounces and warnings will likely never reach you; they're being sent to someone else!


Copyrighted with all rights reserved by Stephen M. Canale